Implementing ISO 27001:2013

1. Implementing ISO 27001:2013
2.  
3. Plan
4.  
5.  
6. 1. Obtain top management approval for implementation of ISO 27001:2013 based ISMS in the organization
7. 2. Gather information about the organization and its industry
8. 3. Understand the organization industry
9. 4. Gather background information about the organization products and services
10. 5. Understand the organization external and internal issues
11. 6. Identify the organization competitors
12. 7. Identify the organization’s interested parties
13. 8. Understand needs and expectations of interested parties
14. 9. Understand the organization’s legal, regulatory and contractual requirements
15. 10. Understand interfaces and interdependencies between activities performed by the organization
16. 11. Understand the organization ISMS requirements
17. 12. Understand the requirements of interested parties relevant to the ISMS
18. 13. Determine scope for ISMS implementation (locations, sites and/or functions ready to implement ISMS)
19. 14. Define overall IS Policy, including IS Objectives, applicable business requirements and top management commitment for continual improvement
20. 15. Define risk assessment process (risk assessment criteria and risk acceptance criteria)
21. 16. Define risk treatment process
22. 17. Develop project plan for ISO 27001:2013 based ISMS implementation
23. 18. Present project plan to the top management for approval and secure top management assurance for the project and necessary support and resources
24.  
25. Do
26.  
27.  
28. 19. Define IS objectives at all relevant functions and levels
29. 20. Perform risk assessment
30. a. Identify IS risks
31. b. Identify Risk Owners
32. c. Analyze IS risks (assess consequences, likelihood and risk level)
33. d. Evaluate IS Risks (compare with risk criteria and prioritizing)
34. 21. Perform risk treatment
35. a. Select appropriate controls
36. b. Compare controls with Annex A of ISO 27001:2013 Standard
37. c. Develop SoA
38. d. Develop Risk Treatment Plans
39. 22. Obtain Risk Owners’ approval
40. 23. Implement risk treatment plans (Staff, Infrastructure, technical controls, managerial controls such as Employment/Contract agreements, NDA etc.)
41. 24. Define ISMS performance measurements and metrics
42. 25. Develop ISMS Audit program plan
43. 26. Define and assign ISMS roles and responsibilities
44. 27. Develop necessary IS documentation
45. 28. Develop ISMS Communication Plan considering all ISMS interested parties
46. 29. Conduct necessary IS training to employees and contractors
47. 30. Carry necessary IS awareness initiatives
48. 31. Operate ISMS (record IS events, activities, communications, changes, incidents, accidents and NCs)
49.  
50. Check
51.  
52.  
53. 32. Check ISMS performance periodically
54. a. Various ISMS performance measurements and metrics
55. b. Conduct periodic risk assessments (RA/KPI/KRI)
56. c. Perform periodic internal and regulatory audits (IA)
57. d. Collect feedback from interested parties
58. e. Carry periodic Management Reviews for reviewing ISMS performance
59. 33. Report to appropriate management in defined time intervals
60.  
61. Act
62.  
63.  
64. 34. Decide on corrective actions to be taken
65. 35. Develop plans for implementing ISMS improvements
66.